AEM 6.4.8.1 (CFP 1) and POST Requests

cecheta
Level 1

04-08-2020

I have an HTML form inside an iframe that makes a POST request to an AEM servlet. The servlet path is excluded by the Adobe Granite CSRF Filter, and the host making the POST request has been added to the Allowed Hosts in the Apache Sling Referrer Filter. On AEM 6.4.8.0 everything works fine; however, when upgrading to 6.4.8.1, the POST request returns a 403 Forbidden response. This is on an Author instance. The following message is seen in the error log after making the request:

*INFO* [qtp691096566-2507] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

How can I avoid this so the POST request is successful?

Accepted Solutions (1)

kunal23
MVP

04-08-2020

Don't make any changes to whitelist the host or allow anonymous requests. That is not a recommended option and is not best security practice. You can solve your problem by including the CSRF framework clientlib on the page where you have created your form. The ClientLib category is granite.csrf.standalone

More details - https://helpx.adobe.com/experience-manager/6-2/sites/developing/using/csrf-protection.html
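As an added example (not code from this thread or from Adobe's clientlib), this is the token round-trip that granite.csrf.standalone automates, written out by hand so the form inside the iframe can POST to the protected servlet without weakening the Referrer Filter or the CSRF filter. It assumes the iframe document is served from the same AEM origin as the servlet and that fetchImpl is the browser's fetch; the path /libs/granite/csrf/token.json, the CSRF-Token header and the :cq_csrf_token field are the ones Adobe documents for the framework.

```javascript
// Hand-written model of what the granite.csrf.standalone clientlib does for a
// form: fetch a token from Granite's token servlet, then send it with the POST.
// fetchImpl is injected so the same functions can be exercised outside a browser.
const TOKEN_ENDPOINT = '/libs/granite/csrf/token.json'; // Granite token servlet
const TOKEN_HEADER = 'CSRF-Token';                       // header checked for XHR/fetch
const TOKEN_FIELD = ':cq_csrf_token';                    // hidden field checked for HTML forms

// Fetch a fresh token. This must run in the document that owns the form (the
// iframe's own document), with the AEM session cookie sent along; a cross-origin
// iframe would additionally need CORS allowed on AEM for this endpoint (assumption).
async function fetchCsrfToken(fetchImpl) {
  const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: 'same-origin' });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  const body = await res.json();
  if (typeof body.token !== 'string' || body.token.length === 0) {
    throw new Error('token endpoint returned no token');
  }
  return body.token;
}

// Build the URL-encoded body the way a classic form submit would carry the token:
// the existing fields are kept and the token is added as the hidden field.
function buildFormBody(fields, token) {
  const params = new URLSearchParams(fields);
  params.set(TOKEN_FIELD, token);
  return params.toString();
}

// Submit with fetch. The token is sent both as a header and as a form field,
// so the filter's check passes whichever transport it inspects for this request.
async function postWithCsrf(fetchImpl, servletPath, fields) {
  const token = await fetchCsrfToken(fetchImpl);
  return fetchImpl(servletPath, {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      [TOKEN_HEADER]: token,
    },
    body: buildFormBody(fields, token),
  });
}
```

The token has to be obtained by the iframe's own document: a clientlib loaded on the parent page attaches tokens to forms in the parent document, not to a form living inside the iframe.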

Answers (4)

ChitraMadan
MVP

04-08-2020

Hi @cecheta ,

If you are testing this on an author instance in a local/staging environment, you can follow the steps below to test the request.

Go to http://localhost:4502/system/console/configMgr

Search for Apache Sling Referrer Filter

Check "Allow Empty"

Remove POST from Filter Methods

For Production environment, leave the default settings and test via dispatcher.

Please refer to this blog for more details: How to make a simple HTTP POST request to AEM with a HTTP Rest Client, Postman - Sourced Code

cecheta
Level 1

05-08-2020

Thank you for the replies,

@vanegi @BrianKasingli Adding the path to the list of URLs that do not require authentication certainly worked; however, it feels like a bit of a workaround. Is there no other way? What has changed in v6.4.8.1? Also, I am not sure how I would add a request header from an HTML form.

@ChitraMadan I don't think this is related to the Apache Sling Referrer Filter; the host that makes the POST request has already been added to the Allowed Hosts. I also tried ticking Allow Empty and removing POST from the filter methods, but still got the 403.

@kunal23 The granite.csrf.standalone clientlib has already been included on the page, but not inside the iframe. However, I am not sure this issue is related to the CSRF protection, as the servlet path has already been included in the Excluded Paths section of the Adobe Granite CSRF Filter config. I also tried removing POST from the filter methods, but still got the 403.

Your help would be much appreciated, thank you.

BrianKasingli
MVP

04-08-2020

@cecheta,

Try @vanegi's trick, "Allow anonymous"; if that does not work, you can try to send a request header:

Authorization Basic YWRtaW46YWRtaW4=

vanegi
Employee

04-08-2020

Hi @cecheta,

Have you tried checking the "Allow anonymous" in Apache Sling Authentication Service config?

Thanks!!